HHS/OIG-Audit--"Report on Policies and Procedures Placed in Operation and Tests of Operating Effectiveness for the Division of Computer Research and Technology, National Institutes of Health, (A-17-97-00013)"

Department of Health and Human Services
Office of Inspector General -- AUDIT
January 30, 1998

Complete Text of Report is available in PDF format (3.2 mb). Copies can also be obtained by contacting the Office of Public Affairs at 202-619-1343.

EXECUTIVE SUMMARY:

The Department of Health and Human Services (HHS) Division of Computer Research and Technology (DCRT) provides a variety of data processing services on a fee-for-service basis to the National Institutes of Health and other HHS agencies. Ernst & Young (E&Y), certified public accountants, under contract with the HHS Office of Inspector General, reviewed DCRT's policies and procedures to determine whether: (1) the description of DCRT policies and procedures presents fairly, in all material respects, the aspects of DCRT's policies and procedures that may be relevant to a user organization's internal control structure, (2) the control structure policies and procedures were suitably designed to achieve the control objectives specified in the descriptions, and (3) such policies and procedures had been placed in operation as of September 30, 1997.

E&Y determined that DCRT is not able to control monitoring and administration of computer machine room access privileges. This resulted in the policies and procedures not being suitably designed to achieve the control objective that states, "Control structure policies and procedures provide reasonable assurance that physical access to the computer center and other sensitive areas, and operations of the computer and related processing equipment is restricted to appropriately authorized individuals."

E&Y concluded that the description of DCRT operations presents fairly, in all material respects, the relevant aspects of DCRT's policies and procedures placed in operation as of September 30, 1997. Also, E&Y concluded that the control structure policies and procedures, except for the matters described in the preceding paragraph, are suitably designed to provide reasonable assurance that the specified control objectives would be achieved. Lastly, E&Y concluded that the control policies and procedures tested were operating with sufficient effectiveness, except for the matters described in the second paragraph above, to provide reasonable, but not absolute, assurance that the control objectives specified were achieved during the specified period.